def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from code.google.com/p/yara-project")
## leveraged from the windows yarascan plugin
rules = self._compile_rules()
## set the linux plugin address spaces
common.set_plugin_members(self)
if self._config.KERNEL:
## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
if not common.is_64bit_capable(self.addr_space):
kernel_start = 0
else:
kernel_start = 0xc0000000
else:
kernel_start = 0xffffff8000000000
scanner = malfind.DiscontigYaraScanner(rules = rules,
address_space = self.addr_space)
for hit, address in scanner.scan(start_offset = kernel_start):
yield (None, address, hit,
scanner.address_space.zread(address, 64))
else:
# Scan each process memory block
for task in pstasks.mac_tasks(self._config).calculate():
scanner = MapYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
yield (task, address, hit,
scanner.address_space.zread(address, 64))
def get_process_address_space(self):
cr3 = self.task.map.pmap.pm_cr3
map_val = str(self.task.map.pmap.pm_task_map or '')
# if the machine is 64 bit capable
is_64bit_cap = common.is_64bit_capable(self.obj_vm)
if map_val == "TASK_MAP_32BIT" and is_64bit_cap:
# A 32 bit process on a 64 bit system, requires 64 bit paging
# Catch exceptions when trying to get a process AS for kernel_task
# which isn't really even a process. It needs to use the default cr3
try:
proc_as = amd64.AMD64PagedMemory(self.obj_vm.base,
self.obj_vm.get_config(),
dtb=cr3,
skip_as_check=True)
except IOError:
proc_as = self.obj_vm
elif map_val == "TASK_MAP_32BIT":
# A 32 bit process on a 32 bit system need
# bypass b/c no sharing of address space
proc_as = intel.IA32PagedMemoryPae(self.obj_vm.base,
self.obj_vm.get_config(),
dtb=cr3,
skip_as_check=True)
elif (map_val == "TASK_MAP_64BIT_SHARED"
and self.obj_vm.profile.metadata.get('memory_model',
'32bit') == "32bit"):
# A 64 bit process running on a 32 bit system
proc_as = amd64.AMD64PagedMemory(self.obj_vm.base,
self.obj_vm.get_config(),
dtb=cr3,
skip_as_check=True)
elif map_val in ["TASK_MAP_64BIT", "TASK_MAP_64BIT_SHARED"]:
# A 64 bit process on a 64 bit system
cr3 &= 0xFFFFFFE0
proc_as = amd64.AMD64PagedMemory(self.obj_vm.base,
self.obj_vm.get_config(),
dtb=cr3,
skip_as_check=True)
else:
proc_as = obj.NoneObject(
"Cannot get process AS for pm_task_map: {0}".format(map_val))
return proc_as
def calculate(self):
## we need this module imported
if not has_yara:
debug.error(
"Please install Yara from https://plusvic.github.io/yara/")
## leveraged from the windows yarascan plugin
rules = self._compile_rules()
## set the linux plugin address spaces
common.set_plugin_members(self)
if self._config.KERNEL:
## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
if self.addr_space.profile.metadata.get('memory_model',
'32bit') == "32bit":
if not common.is_64bit_capable(self.addr_space):
kernel_start = 0
else:
kernel_start = 0xc0000000
else:
vm_addr = self.addr_space.profile.get_symbol(
"_vm_min_kernel_address")
kernel_start = obj.Object("unsigned long",
offset=vm_addr,
vm=self.addr_space)
scanner = malfind.DiscontigYaraScanner(
rules=rules, address_space=self.addr_space)
for hit, address in scanner.scan(start_offset=kernel_start):
yield (None, address, hit,
scanner.address_space.zread(
address - self._config.REVERSE, self._config.SIZE))
else:
# Scan each process memory block
tasks = self.filter_tasks()
for task in tasks:
# skip kernel_task
if task.p_pid == 0:
continue
scanner = MapYaraScanner(task=task, rules=rules)
for hit, address in scanner.scan(
max_size=self._config.MAX_SIZE):
yield (task, address, hit,
scanner.address_space.zread(
address - self._config.REVERSE,
self._config.SIZE))
def get_process_address_space(self):
cr3 = self.task.map.pmap.pm_cr3
map_val = str(self.task.map.pmap.pm_task_map or '')
# if the machine is 64 bit capable
is_64bit_cap = common.is_64bit_capable(self.obj_vm)
if map_val == "TASK_MAP_32BIT" and is_64bit_cap:
# A 32 bit process on a 64 bit system, requires 64 bit paging
# Catch exceptions when trying to get a process AS for kernel_task
# which isn't really even a process. It needs to use the default cr3
try:
proc_as = amd64.AMD64PagedMemory(self.obj_vm.base,
self.obj_vm.get_config(), dtb = cr3, skip_as_check = True)
except IOError:
proc_as = self.obj_vm
elif map_val == "TASK_MAP_32BIT":
# A 32 bit process on a 32 bit system need
# bypass b/c no sharing of address space
proc_as = intel.IA32PagedMemoryPae(self.obj_vm.base,
self.obj_vm.get_config(), dtb = cr3,
skip_as_check = True)
elif (map_val == "TASK_MAP_64BIT_SHARED" and
self.obj_vm.profile.metadata.get('memory_model', '32bit') == "32bit"):
# A 64 bit process running on a 32 bit system
proc_as = amd64.AMD64PagedMemory(self.obj_vm.base,
self.obj_vm.get_config(), dtb = cr3,
skip_as_check = True)
elif map_val in ["TASK_MAP_64BIT", "TASK_MAP_64BIT_SHARED"]:
# A 64 bit process on a 64 bit system
cr3 &= 0xFFFFFFE0
proc_as = amd64.AMD64PagedMemory(self.obj_vm.base,
self.obj_vm.get_config(), dtb = cr3,
skip_as_check = True)
else:
proc_as = obj.NoneObject("Cannot get process AS for pm_task_map: {0}".format(map_val))
return proc_as
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
## leveraged from the windows yarascan plugin
rules = self._compile_rules()
## set the linux plugin address spaces
common.set_plugin_members(self)
if self._config.KERNEL:
## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
if self.addr_space.profile.metadata.get("memory_model", "32bit") == "32bit":
if not common.is_64bit_capable(self.addr_space):
kernel_start = 0
else:
kernel_start = 0xC0000000
else:
kernel_start = 0xFFFFFF8000000000
scanner = malfind.DiscontigYaraScanner(rules=rules, address_space=self.addr_space)
for hit, address in scanner.scan(start_offset=kernel_start):
yield (
None,
address,
hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE),
)
else:
# Scan each process memory block
tasks = self.filter_tasks()
for task in tasks:
# skip kernel_task
if task.p_pid == 0:
continue
scanner = MapYaraScanner(task=task, rules=rules)
for hit, address in scanner.scan():
yield (
task,
address,
hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE),
)
def calculate(self):
## we need this module imported
if not has_yara:
debug.error(
"Please install Yara from code.google.com/p/yara-project")
## leveraged from the windows yarascan plugin
rules = self._compile_rules()
## set the linux plugin address spaces
common.set_plugin_members(self)
if self._config.KERNEL:
## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
if self.addr_space.profile.metadata.get('memory_model',
'32bit') == "32bit":
if not common.is_64bit_capable(self.addr_space):
kernel_start = 0
else:
kernel_start = 0xc0000000
else:
kernel_start = 0xffffff8000000000
scanner = malfind.DiscontigYaraScanner(
rules=rules, address_space=self.addr_space)
for hit, address in scanner.scan(start_offset=kernel_start):
yield (None, address, hit,
scanner.address_space.zread(address, 64))
else:
# Scan each process memory block
for task in pstasks.mac_tasks(self._config).calculate():
scanner = MapYaraScanner(task=task, rules=rules)
for hit, address in scanner.scan():
yield (task, address, hit,
scanner.address_space.zread(address, 64))